[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [office] Passwords
On Tue, 2006-28-11 at 10:59 +0000, Dave Pawson wrote: > > That's a good idea, though I note that since this spec was written some > > new attacks on SHA1 have appeared. Is it possible to say "use xmlenc > > _except_ we change SHA256 from RECOMMENDED to REQUIRED"? [snip] > How about adding some flexibility for implementors. > I.e. list a few acceptable encryption algorithms, then require > that an implementation record the one used, which then > means that other implementations can use a number of algorithms > and we can have interop? Yes, that would be good. We can say that SHA1, SHA256, SHA512 and RIPMEND-160 are all ok (list taken from xmlenc), but all implementations must support at least SHA256 but preferably all. > The informative clauses can be used to explain the rationale for > requiring SHA256? Yes. Developers may not know that SHA1 is becoming week rather quickly. I just read that RSA expects a successful pre-image attack on SHA1 within 5-10 years. http://www.heise-security.co.uk/articles/75686/2 That _would_ render SHA1 useless for passwords. Cheers, Daniel. -- "I AM in shape. Round IS a shape."
This is a digitally signed message part
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]